Information Security Disconnect: RSA, USB, AV, and reality

The world's largest information security event, the annual RSA Conference, is over for another year. Most of the more than 18,000 people who attended the 2012 gathering are probably back home now, getting ready to go into the office. What will be top of mind for them, apart from "How did I manage to survive 5 days of non-stop security-speak?"

This was the twenty-first year the event was held and, if the last 20 years are anything to go by, one thing that most conference attendees are not thinking about right now is the enormous gap between security discourse at the show and security reality down at street level. To illustrate my point I will contrast one unhelpful platitude I heard last week, with something that happened to a friend of mine on the last day of the show, something that directly links data security to life and death.

First, the platitude: "You don't need antivirus any more." This piece of nonsense was suggested to me in several conversations I had with attendees on the floor of the RSA exhibition hall. It has also been discussed in the Wired article: Is Antivirus Software a Waste of Money?

If you read between the lines you get the picture: Some security experts figure they are safe enough without AV. But listen closely and I doubt you will hear anyone willing to stake their career on advising companies, in a professional capacity, to abandon AV protection. (You also have to wonder exactly what AV software those experts were using that let them down so badly they want to abandon this basic layer of information protection.)

Now to my friend's street-level information security experience. She was walking her dog near the courthouse in a city of considerable size (that will remain nameless to protect the innocent, the guilty, and the accused). On the sidewalk she sees a USB stick and picks it up. Seeing nobody around, and thus unable to determine ownership of the device or any data that it might contain, she takes it home and plugs it into her forensic computer (at which point I need to stress that you should not try this at home–my friend is a computer security expert and the computer she used for this task is not an ordinary one, although it is equipped, as all computers should be, with AV software that automatically scans USB devices when you insert them–she's not one of those "you don't need AV" security experts).

There were no viruses on the device, but there were dozens of documents, mainly Microsoft Word .doc and Adobe .pdf files. Judging by the file names she figured they contained some serious legal content. So next comes the moral dilemma: Do I try to open a file or two to determine ownership, thereby risking accusations of "snooping" from the owner when I get their drive back to them? And what is the alternative? It's hard to imagine a classified ad or flyer stapled to the neighborhood telephone poles that says "Found: One USB drive containing over 200Kb of legal documents, please call me if you think it belongs to you."

My friend did not reveal what was in the two documents she opened, and from which she was able to determine who owned the drive (which has now been reunited with its owner). All she said was: "It was serious stuff, scary life and death stuff that's likely to be in the news soon and frankly I was very uncomfortable that it was in my possession."

So, as thousands of security experts continue to absorb all they heard at RSA last week about the cutting edge technologies that will take information security to the next level, I'm scratching my head and asking myself: Why were the files on that USB device not encrypted? After all, they were created with two applications that are capable of file encryption: Microsoft Word and Adobe Acrobat.

Ignore the chorus of crypto experts who pipe up saying "those encryption schemes have been hacked." That is surely not the point. The point is that twenty-one years after the first RSA Conference, big name criminal attorneys and the paralegals they employ don't yet understand enough about information security to take cheap, basic, and practically effective defensive measures. Makes you wonder just how much of an impact the information security industry has really had.

Perhaps security experts should take a break from grabbing media attention with contrarian views on basic data protection like antivirus software and spend some time talking security to mere mortals at street level. Indeed, maybe it's a good moment for us all to think about the reality of what information security means to most people today. Here's one thing it shouldn't mean: an unencrypted USB key holding someone's life or death, lying on the sidewalk.

Hi Stephen,
I work for RSA but the opinion I will express here is my own, as a reader of security articles and one that has some basic knowledge. The story of the USB and connecting it with the RSA conference theme is just not right for me. One has little to do with the other. The RSA conference is a natural habitat for people who are at the top of the security world. None there can say in any of the speeches anything less than avant-garde or at least something new, or they would get laughed off the podium.
The opinions of participants about using AV are also their own. RSA, as part of the title of this article, always and at all times recommends using Anti-Virus as part of a layered security doctrine and has AV partners who provide services to RSA as well. RSA also always recommends encryption on all devices, e-mail, all sensitive files, definitely on access via USB that can be easily misplaced/stolen/lost.
Now, to that everyday person that loses a USB key/a phone/ a laptop on the street… None can ever control the choice of action of the end-user. That same end-user may have had all the knowledge in the world but that day rushed out to a meeting, threw the files on the USB and ran… it's just 1 example. There are many more… As to your friend’s choice to stick the USB key into her PC – people's curiosity and other human emotions make them stick USB keys into their PCs and at times that is an infection strategy for those who plan APT attacks. Had there been a sophisticated Trojan on that USB key, most chances are that not even the AV would have detected it.

Educating the public about digital threats and the ways they can defend themselves depends largely on what they are willing to learn and to apply to their everyday life. RSA works with its customers to educate end users, conducts webinars to that effect, provides information and advises on how to communicate that information. Yet, at the end of the day, as cybercriminals like to put it: they go for the human–the weakest link.

Stephen Cobb

Limor — Many thanks for your thoughtful comments, they are much appreciated, particularly your endorsement of Anti-Virus as part of a layered security doctrine.

First let me assure you that I don't hold RSA responsible in any way for poor security decisions by end-users. Nor do I consider RSA responsible for the views expressed by RSA Conference attendees. Few companies have done more than RSA over the last two decades to improve data security technology and advance the information assurance profession.

The annual RSA Conference is an amazing event and, increasingly, something of a cultural phenomenon. As such I felt it appropriate to use RSAC as a symbol of the very impressive advances that have been made in security technology over the last 21 years with the reality of information security "trickledown." Clearly, the world's shortcomings in the adoption of information security best practices are not RSA's responsibility. Indeed, RSA has played a major role in helping evolve and promulgate those best practices. My call was to information security professionals, many of the best of whom attend your event, to bear in mind the gap between what is possible in data protection and what still happens in the real world.

As to specifics, I certainly agree that exceptional malware can defeat most anti-virus software and, thanks to your input, I am going to add a "do not try this at home" disclaimer to the post to make it clear that one should not insert a "found USB drive" into one's computer (unless you happen to be a trained professional, which my friend is, a fact that I have also clarified in the post).

Finally, given that ESET's NOD32 has never failed to spot a piece of "in the wild" malware since VB testing began in 1998, we could debate exactly what chance "a sophisticated Trojan on that USB key" would stand against NOD32's heuristic detection capabilities. But you make an important point that deserves reiteration: One should not rely on AV software alone for malware protection and, just like RSA, ESET recommends the industry best practice of using AV software as part of a defense-in-depth strategy. With respect to USB drives in particular, I should note that ESET products provide control over autorun features to block this path of infection, ironically one that was already a challenge back in the days of that first RSA Data Security Conference. I look forward to attending many more of them.

Alex

Why am I not surprised?

Obviously ESET will say not having an AV is ridiculous.

But just to make sure, how long did it take you guys to get one for MacOS…and when is the Linux version coming?

David Harley

Actually, there are scenarios where AV _may_ not be necessary, and OS’s where malware is scarce is one of them. There are already Linux versions of ESET software.